👷 Update dependency next to v16.2.3 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
next (source)	16.1.7 → 16.2.3

---

Next.js has a Denial of Service with Server Components

GHSA-q4gf-8mx6-v5v3

More information

Details

A vulnerability affects certain React Server Components packages for versions 19.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23869. You can read more about this advisory our this changelog.

A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage. This can result in denial of service in unpatched environments.

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://github.com/vercel/next.js/security/advisories/GHSA-q4gf-8mx6-v5v3
• https://vercel.com/changelog/summary-of-cve-2026-23869
• https://github.com/advisories/GHSA-q4gf-8mx6-v5v3

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

vercel/next.js (next)

v16.2.3

Compare Source

v16.2.2

Compare Source

v16.2.1

Compare Source

v16.2.0

Compare Source

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[cit-pr-commenter-54b7da]

Bundles Sizes Evolution

📦 Bundle Name	Base Size	Local Size	𝚫	𝚫%	Status
Rum	179.65 KiB	179.65 KiB	0 B	0.00%	✅
Rum Profiler	6.17 KiB	6.17 KiB	0 B	0.00%	✅
Rum Recorder	27.03 KiB	27.03 KiB	0 B	0.00%	✅
Logs	56.78 KiB	56.78 KiB	0 B	0.00%	✅
Rum Slim	135.50 KiB	135.50 KiB	0 B	0.00%	✅
Worker	23.63 KiB	23.63 KiB	0 B	0.00%	✅

🚀 CPU Performance

Action Name	Base CPU Time (ms)	Local CPU Time (ms)	𝚫%
RUM - add global context	0.0069	0.0056	-18.84%
RUM - add action	0.0205	0.0187	-8.78%
RUM - add error	0.0151	0.0192	+27.15%
RUM - add timing	0.0031	0.0036	+16.13%
RUM - start view	0.0146	0.0136	-6.85%
RUM - start/stop session replay recording	0.0009	0.0009	0.00%
Logs - log message	0.0233	0.0231	-0.86%

🧠 Memory Performance

Action Name	Base Memory Consumption	Local Memory Consumption	𝚫
RUM - add global context	31.08 KiB	32.00 KiB	+935 B
RUM - add action	57.08 KiB	57.10 KiB	+24 B
RUM - add timing	32.46 KiB	32.52 KiB	+57 B
RUM - add error	60.73 KiB	60.85 KiB	+123 B
RUM - start/stop session replay recording	32.21 KiB	32.13 KiB	-83 B
RUM - start view	485.24 KiB	484.55 KiB	-705 B
Logs - log message	98.02 KiB	97.32 KiB	-714 B

🔗 RealWorld

[datadog-prod-us1-4]

✨ Fix all issues with BitsAI or with Cursor

⚠️ Warnings

🧪 5 Tests failed

serializeNodeAsChange for snapshotted documents for a simple document when the <html> element's privacy level is ALLOW matches the snapshot from Firefox 67.0 (Windows 10)     (Fix with Cursor)

Error: Timeout - Async function did not complete within 10000ms (set by jasmine.DEFAULT_TIMEOUT_INTERVAL) in node_modules/jasmine-core/lib/jasmine-core/jasmine.js (line 8638)
<Jasmine>

base plugin: nextjs app router › router › should normalize dynamic routes and preserve real URLs and referrers from plugins/nextjsPlugin.scenario.ts     (Fix with Cursor)

basePluginRouterTests.ts:36:27 should normalize dynamic routes and preserve real URLs and referrers

[chromium] › plugins/basePluginRouterTests.ts:36:27 › base plugin: nextjs app router › router › should normalize dynamic routes and preserve real URLs and referrers 

    Test timeout of 30000ms exceeded.

    Error: page.evaluate: Target page, context or browser has been closed

       at ../lib/framework/waitForRequests.ts:15

...

base plugin: nextjs app router › router › should not create a new view when query params change from plugins/nextjsPlugin.scenario.ts     (Fix with Cursor)

basePluginRouterTests.ts:96:27 should not create a new view when query params change

[chromium] › plugins/basePluginRouterTests.ts:96:27 › base plugin: nextjs app router › router › should not create a new view when query params change 

    Test timeout of 30000ms exceeded.

    Error: page.evaluate: Target page, context or browser has been closed

       at ../lib/framework/waitForRequests.ts:15

...

View all

ℹ️ Info

No other issues found (see more)

❄️ No new flaky tests detected

🎯 Code Coverage (details)
• Patch Coverage: 100.00%
• Overall Coverage: 77.02% (+0.01%)

Useful? React with 👍 / 👎

_{This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 613eedc | Docs | Datadog PR Page | Give us feedback!}

[bcaudan]

I have done some investigation on this one in #4375 but did not go through as I am not so familiar with the topic.
@BeltranBulbarellaDD as you may have more insight on that, it could be worth a look to see if the e2e failures are only related to our test implementation or if there is more to it.